Vulnerability Description

Brief Description: Sending a SYN packet to a host with the same source and destination address (including port) causes the system to hang

Detailed Description: Certain TCP/IP implementations are vulnerable to packets that have the same source and destination address (IP address and port number). The best known version is where a SYN packet has a source address and port the same as the destination.

Component(s): TCP/IP implementation

Version(s): varies

Operating System(s): Microsoft Windows 95 (verified)

Other Information: The system being attacked must be reachable using TCP/IP.

Effects:The system hangs.

Detecting the Vulnerability:

* Spoof a packet with the source and destination address of your system and send it to your system.

Fixing the Vulnerability:

* You need to patch the kernel. Contact your vendor asking for the right patch.

* Block IP-spoofed packets by filtering outgoing packets that have a source address different from that of your internal network. A detailed description of this type of filtering is available at: Ingress Filtering (http://ds.internic.net/internet-drafts.draft-ferguson-ingress-filtering-03.txt)

Cataloguing

Keywords:TCP/IP land

Exploiting

Attack Methods or Tools: Not provided.

Related Information

Advisories and Other Alerts: CIAC Advisory I-36, "FreeBSD Denial-of-Service LAND Attacks" (3/16/98) (http:// ciac.llnl.gov/ciac/bulletins/i-036.shtml); CERT Advisory CA-97.28, "IP Denial-of-Service Attacks" (12/16/97) (http:/ /cert.org/cert/advisories/CA-97.28.html)

Related Vulnerabilities: none.

History

First Report We Know Of: by Meltman (meltman@LAGGED.NET), date Bugtraq mailing list, in Thu, 20 Nov 1997 19:40:19 -0500

Revisions of Database Record

1. Matt Bishop(June 10, 1998): Entered into Doves.